Demystifying SDR Hacking: A Deep Dive into Wireless Protocols, Part 5

KISHORERAM
Published in Radio Hackers · 5 min read · Oct 14, 2023

Introduction to Pagers

A pager is a wireless telecommunications device that receives and displays alphanumeric or voice messages. Despite the prevalence of smartphones and the internet, pagers are still in use today, especially in hospitals and emergency services, due to their reliability and extensive coverage.
Identify pager signals: https://www.sigidwiki.com/wiki/POCSAG

Source: https://spectrum.ieee.org/

Pager Frequencies

Pagers typically operate on specific frequencies. The frequency ranges for different paging bands are as follows:

  • HF-High/VHF-Low Band: 25 MHz – 54 MHz
  • VHF Mid Band: 66 MHz – 88 MHz
  • VHF High Band: 138 MHz – 175 MHz
  • UHF: 406 MHz – 422 MHz
  • UHF High: 435 MHz – 512 MHz
  • ‘900’ Band: 929 MHz – 932 MHz

Virtual Audio Cable

To transfer audio streams from one application to another (for example, from your SDR software to PDW), you’ll need a virtual audio cable. Virtual Audio Cable is a software product that creates a set of virtual audio devices, each simulating an audio adapter, so that the output of one application can be fed to the input of another. You can download it using the link below.

https://www.vb-audio.com/Cable/

POCSAG Protocol

One of the common protocols used for transmitting pager messages is the POCSAG (Post Office Code Standardisation Advisory Group) protocol. It’s a one-way 2FSK paging protocol that supports 512, 1200, and 2400 bps.
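What a POCSAG decoder checks on each received 32-bit codeword, as an added example (not code from the original article or from any decoder it mentions): the BCH(31,21) check bits and even parity only protect against noise, and the address and message payload are carried in the clear. Function names are illustrative and the sample inputs are constructed from the standard idle codeword.

```python
# POCSAG codeword layout (32 bits, most significant bit sent first):
#   bit 31      0 = address codeword, 1 = message codeword
#   bits 30-11  20 payload bits
#   bits 10-1   BCH(31,21) check bits
#   bit 0       even parity over the whole word
SYNC_WORD = 0x7CD215D8   # starts every batch of 16 codewords
IDLE_WORD = 0x7A89C197   # filler codeword when a slot carries nothing
BCH_POLY = 0x769         # x^10 + x^9 + x^8 + x^6 + x^5 + x^3 + 1

def bch_remainder(bits31):
    """Remainder of a 31-bit value divided by BCH_POLY over GF(2)."""
    for shift in range(30, 9, -1):
        if bits31 & (1 << shift):
            bits31 ^= BCH_POLY << (shift - 10)
    return bits31

def encode(data21):
    """Flag bit + 20 payload bits -> codeword (only used to build samples)."""
    word = ((data21 << 10) | bch_remainder(data21 << 10)) << 1
    return word | (bin(word).count("1") & 1)

def is_valid(cw):
    return bch_remainder(cw >> 1) == 0 and bin(cw).count("1") % 2 == 0

def repair(cw):
    """Return the valid codeword at most one bit away from cw, else None."""
    for candidate in [cw] + [cw ^ (1 << b) for b in range(32)]:
        if is_valid(candidate):
            return candidate
    return None

def parse(cw, frame=0):
    """Split a valid codeword; `frame` (0-7) is its position in the batch."""
    payload = (cw >> 11) & 0xFFFFF
    if cw >> 31:
        return {"type": "message", "bits": payload}
    # The 3 low bits of the pager address are implied by the frame number.
    return {"type": "address", "ric": (payload >> 2) << 3 | frame,
            "function": payload & 3}

DIGITS = "0123456789*U -]["  # codes 10-15: decoders differ on how to print them

def numeric(bits20):
    """Five 4-bit digits per message codeword, each sent LSB first."""
    nibbles = [(bits20 >> s) & 0xF for s in (16, 12, 8, 4, 0)]
    return "".join(DIGITS[int(f"{n:04b}"[::-1], 2)] for n in nibbles)
```
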

FLEX Protocol

FLEX (Flexible Wide Area Paging Protocol) is another high-speed one-way paging protocol that was developed by Motorola. FLEX can transmit numeric, alphanumeric, and binary data. It uses either 2FSK or 4FSK. The 2FSK speeds are 1600 bps and 3200 bps, while the 4FSK speeds are 3200 bps and 6400 bps.

Decoding with RTL-SDR and PDW

To decode these signals, we can use software-defined radios like RTL-SDR in combination with specific decoding software. One such program is PDW (Paging Decoder Software), which is capable of decoding POCSAG, FLEX, ACARS, MOBITEX and ERMES. You can download PDW using the link below.

https://www.discriminator.nl/pdw/index-en.html
Source: https://www.rtl-sdr.com/

What is DMR?

DMR, or Digital Mobile Radio, is a digital two-way radio standard. It’s used for voice and data transmission in non-public radio networks and was created by the European Telecommunications Standards Institute (ETSI). DMR is designed to be low-cost and easy to use. It’s widely used by various businesses and organizations, including those in the public sector, government, healthcare, transportation, and industrial sectors.

Source: https://procom2way.com/

Digital Mobile Radio (DMR) operates between 30 MHz and 1000 MHz. This range is divided into two categories:

  • Very High Frequency (VHF): 30 MHz to 300 MHz
  • Ultra High Frequency (UHF): 300 MHz to 1 GHz
https://www.sigidwiki.com/wiki/Digital_Mobile_Radio_(DMR)

Decoding DMR Data

DSD Plus

https://www.dsdplus.com/download-2/ 

DSD+ is a Win32 application capable of reliably decoding multiple digital audio formats commonly found on VHF, UHF and 800 MHz. It can also be used to decode LRRP data carried on Motorola (MOTOTRBO/DMR) radio signals, which can broadcast GPS coordinates every few minutes or on request. This is useful for tracking a fleet of vehicles, for instance.

Refer to this link to learn more about DMR decoding:

https://www.rtl-sdr.com/rtl-sdr-radio-scanner-tutorial-decoding-digital-voice-p25-with-dsd/

Spy on Monitor

Spying on a monitor with Software Defined Radio (SDR) involves intercepting and decoding the unintentional radio emissions from a computer screen, allowing one to view the screen’s content remotely.

What is TempestSDR?

TempestSDR is an open-source project that allows you to use any Software Defined Radio (SDR) that supports ExtIO, such as RTL-SDR, Airspy, SDRplay, HackRF, to receive the unintentional signal radiation from a screen and convert that signal back into a live image. This unique capability allows you to view what is being displayed on a screen without any physical connections.

How does it work?

TempestSDR works by exploiting the unintentional radio emissions from a computer monitor. These emissions are generated because raster video is usually transmitted one line of pixels at a time, encoded as a varying current. This process generates an electromagnetic wave that can be picked up by a Software Defined Radio (SDR) receiver.

[Image: the video or executable running on the victim machine]

The TempestSDR software then maps the received field strength of a pixel to a grayscale shade in real-time, creating a false color estimate of the original video signal. This allows you to view what is on a screen without any physical connections.

The toolkit uses unmodified off-the-shelf hardware, which makes it cost-effective and portable. It also includes features for additional post-processing to improve the signal-to-noise ratio. One of the key advantages of TempestSDR is that the attacker does not need to have prior knowledge about the target video display. All parameters such as resolution and refresh rate are estimated automatically by the software.
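A toy simulation of the reconstruction described above, as an added example (not TempestSDR code): a constructed test frame is serialised line by line with blanking, noise is added, the line length is recovered from the stream's autocorrelation, and averaging repeated frames cleans up the image. The blanking sizes, noise level and function names are assumptions chosen for the illustration, the frame height is taken as known, and the output is thresholded to black/white rather than grayscale.

```python
import random

def emit(frame, h_total, v_total, n_frames, sigma, rng):
    """Serialise `frame` one line at a time with blanking, repeat it, add noise."""
    stream = []
    for _ in range(n_frames):
        for y in range(v_total):
            row = frame[y] if y < len(frame) else []
            stream += [float(p) for p in row] + [0.0] * (h_total - len(row))
    return [s + rng.gauss(0.0, sigma) for s in stream]

def estimate_line_length(samples, lo, hi):
    """Lag in [lo, hi) where the stream best matches a shifted copy of itself."""
    def score(lag):
        pairs = zip(samples, samples[lag:])
        return sum(a * b for a, b in pairs) / (len(samples) - lag)
    return max(range(lo, hi), key=score)

def fold(samples, h_total, v_total, n_frames):
    """Average the first n_frames frames and threshold to a 0/1 image."""
    size = h_total * v_total
    image = []
    for y in range(v_total):
        row = []
        for x in range(h_total):
            i = y * h_total + x
            mean = sum(samples[f * size + i] for f in range(n_frames)) / n_frames
            row.append(1 if mean > 0.5 else 0)
        image.append(row)
    return image

# Constructed test pattern: 12 visible lines of 24 pixels (vertical bars).
LINE = [1,1,1,0,0,1,0,0,0,0,1,1,0,0,0,1,0,1,1,1,1,0,0,0]
FRAME = [LINE] * 12
H_TOTAL, V_TOTAL = 32, 16   # visible area plus blanking (assumed values)

def demo(n_frames=25, sigma=0.4, seed=1):
    """Return (estimated line length, one-frame image, averaged image)."""
    rng = random.Random(seed)
    rx = emit(FRAME, H_TOTAL, V_TOTAL, n_frames, sigma, rng)
    h = estimate_line_length(rx, 8, 48)
    single = fold(rx, h, V_TOTAL, 1)
    averaged = fold(rx, h, V_TOTAL, n_frames)
    return h, single, averaged
```

The line length falls out of the autocorrelation because neighbouring lines of a raster image resemble each other, and a single noisy frame is visibly corrupted while the average over 25 frames matches the test pattern.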

https://github.com/martinmarinov/TempestSDR
